Educational Articles
Dive into well-researched pieces on cybersecurity concepts, digital ethics, and emerging threats. Gain deeper knowledge and stay informed beyond the basics.
Cybersecurity Alert: Watch Out for Email Impersonation and QR Code Scams
📧 Business Email Compromise (BEC) – Invoice Scam
These scams often aim to trick recipients into changing payment details or making unauthorised transactions. To stay safe, always verify email addresses carefully, be wary of urgent or unusual requests, and follow established procedures. Additionally, QR code scams are becoming more common, with malicious codes leading to phishing sites or malware. Always scan QR codes from trusted sources and double-check URLs before proceeding.
In a recent incident, criminals were able to join an ongoing email conversation by using an email address only subtly different from a known and trusted email account.
How this scam works:
A hacker gains access to or monitors a legitimate email thread.
They insert themselves into the conversation, usually replying as if they are the vendor or supplier.
However, the emails are from a slightly altered email address, for example john.smith@fakebusines.co.uk instead of john.smith@fakebusiness.co.uk, to trick recipients into responding. Often the change is so subtle that it is easily missed.
Once involved in the conversation, the rogue actor can try to persuade the recipient at the University to do something that they might not normally do. For example, change bank details, cancel invoices, make an urgent payment, have goods sent somewhere unusual, or any other fraudulent aim.
What to watch for:
✅ Always double-check the full email address, not just the display name, to confirm that both the address and the name are correct.
✅ Be cautious if pressured into doing something that does not follow usual processes.
✅ Look out for unusual language or pressure to act quickly.
✅ If in doubt, pause and verify before responding.
📱 QR Code Scam
We would also like to remind University members of the increasing risk associated with QR codes. While QR codes offer convenience and efficiency, they also pose significant security threats that can compromise personal and organisational data.
Key Risks of QR Codes:
Malicious URLs: Cybercriminals can embed QR codes with malicious URLs that, when scanned, can download malware onto your device or redirect you to phishing websites designed to steal personal information.
Overlay Attacks: Attackers may place malicious QR codes over legitimate ones, leading unsuspecting users to fraudulent websites or applications.
Third-Party QR Code Scanners: Using third-party QR code scanning applications that aren't built into your phone can make your device less secure. These apps might ask for permissions that could be used to access your private information.
How to stay safe:
✅ Avoid scanning QR codes from unofficial or suspicious-looking signs. Always ensure the QR code is from a trusted and legitimate source before scanning.
✅ Double-check the URL that pops up after scanning — is it the correct URL intended; does it look legitimate?
✅ For campus services like parking, access links through the official university website or app.
✅ Use Trusted Apps: Use the built-in QR code scanner on your smartphone rather than third-party apps.
✅ Be Cautious with Emails: Avoid scanning QR codes from unsolicited emails or messages.
✅ Report any damaged or suspicious QR signage immediately to the IT Help Desk.
Let’s stay vigilant together.
One Weak Password, 700 Jobs Lost: The KNP Cyberattack Wake-Up Call
In the world of cybersecurity, we often say, “You're only as strong as your weakest link.” For KNP, a 158-year-old printing and logistics company in the UK, that weakest link was a single password—and it cost them everything.
What Happened?
KNP fell victim to a ransomware attack that exploited a weak employee password. Once inside, cybercriminals encrypted the company’s systems and demanded a ransom. The attack was so severe that KNP couldn’t recover. The result? 700 employees lost their jobs, and a historic company was forced to shut its doors.
The most chilling part? The employee whose password was compromised still doesn’t know it was theirs. As one of the directors put it:
“Would you want to know if it was you?”
Why This Matters
This wasn’t a sophisticated zero-day exploit or a nation-state attack. It was a basic password vulnerability—something every organisation can and should defend against.
Lessons For Everyone
- Passwords are not enough
Weak or reused passwords are a hacker’s best friend. Use strong passwords and a password manager to help manage them securely.
- Enable Multi-Factor Authentication (MFA)
Even if a password is compromised, MFA can stop attackers in their tracks. Never share your passwords or MFA codes with anyone else.
- Completion of Training
Everyone constitutes a first line of defence. We are as strong as our weakest link. Undertaking regular bite-size security awareness training can help us recognise risks and adopt safer behaviours.
- Have a recovery plan and let us know when you think something is wrong
Backups, incident response plans, regular drills and informing IDG or your school IT can mean the difference between recovery and collapse.
Final Thoughts!
The KNP story is a tragic reminder that cybersecurity is not just an IT issue—it’s a business survival issue. One weak password can bring down an entire company. Don’t let ours be next.
For more details on this real-world example, see the BBC report.
What email is that?
Alex, a university student, received an email that appeared to be from the university’s IT department. The email claimed that there was an urgent issue with his account and that he needed to verify his details by clicking on a link provided in the email.
Subject: Urgent: Verify Your University Account
From: IT Support <it-support@warwickuniversity-verify.com>
To: Alex
Dear User,
We have detected unusual activity on your university account. To ensure the security of your personal information, please verify your account immediately. Failure to do so will result in the suspension of your account.
Please click the link below to verify your account:
Verify Your Account
Thank you for your prompt attention to this matter.
Sincerely,
IT Support Team
Warwick University
What should Alex do?
A few things came to Alex's memory:
1. The email looked official, with a professional tone; however, Alex knows that a genuine email should not be generic. This one started with "Dear User" instead of addressing him by name.
2. He noted the sense of urgency and threat in the email: it mentioned "account suspension" if he didn't act immediately, a tactic used to create panic.
3. He hovered over the link and noted that the URL did not match the university's official website.
Action Taken: Instead of clicking the link, Alex decided to verify the email’s authenticity. He contacted IDG directly using the contact information on the official IDG website.
Outcome: IDG confirmed that the email was a phishing attempt. By not clicking the link, Alex avoided potentially compromising his personal information.
Key Takeaways:
- Be Sceptical: Always be cautious of emails that create a sense of urgency or use threats.
- Check the Sender: Verify the sender’s email address and look for any inconsistencies.
- Inspect Links: Hover over links to see the actual URL before clicking. If it looks suspicious, don’t click.
- Verify Directly: If in doubt, contact the department directly using official contact information.
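The sender checks described in the BEC section above and in the "Check the Sender" takeaway can be applied on the defender's side to the From: header rather than to the display name. The following is an added example, not the university's own tooling: the trusted-domain allowlist and the sample headers are constructed for illustration, apart from the two addresses quoted on this page.

```python
from email.utils import parseaddr

# Constructed allowlist (assumption): domains the organisation genuinely
# corresponds with. In practice this comes from the supplier/IT directory.
TRUSTED_DOMAINS = ("fakebusiness.co.uk", "warwick.ac.uk")


def levenshtein(a: str, b: str) -> int:
    """Edit distance: single-character insertions, deletions or substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(header_value: str, trusted=TRUSTED_DOMAINS):
    """Return (verdict, related_trusted_domain) for a From: header value.

    'trusted'     exact allowlist match
    'lookalike'   within two edits of a trusted domain (e.g. a dropped letter)
    'brand-abuse' a trusted brand name buried inside an unrelated domain
    'unknown'     no relation to the allowlist found
    """
    _display_name, address = parseaddr(header_value)  # the name is not trusted
    if "@" not in address:
        return "malformed", None
    domain = address.rsplit("@", 1)[1].lower().strip(".")
    if domain in trusted:
        return "trusted", domain
    # fakebusines.co.uk vs fakebusiness.co.uk: one missing character
    nearest = min(trusted, key=lambda t: levenshtein(domain, t))
    if levenshtein(domain, nearest) <= 2:
        return "lookalike", nearest
    # warwickuniversity-verify.com: a brand name inside a domain we do not own
    for t in trusted:
        brand = t.split(".")[0]
        if len(brand) >= 5 and brand in domain:
            return "brand-abuse", t
    return "unknown", None


if __name__ == "__main__":
    for hdr in ("John Smith <john.smith@fakebusines.co.uk>",
                "IT Support <it-support@warwickuniversity-verify.com>"):
        print(hdr, "->", classify_sender(hdr))
```

The display name is parsed and deliberately ignored, because it is the part a scammer controls freely; homoglyph domains (Unicode look-alike characters) are not covered by this plain edit-distance check.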
Beware of Email Scam Targeting Students – Yearbook Scam
Students are tricked into paying for non-existent services. The university advises not to engage with unknown emails and to verify suspicious ones with the helpdesk. Affected students should report transactions to their bank, notify the IT Helpdesk, and report the incident to Action Fraud. Changing email passwords and monitoring accounts for unusual activity is also recommended.
Information Security Risk and Compliance Blog
For advice regarding cybersecurity, please contact